“Cybersecurity Through Obscurity” Is Dead

Contrary to advice from experts and analysts, many organizations — small businesses and government agencies alike — have relied on obscurity (in one form or another) as a security strategy. How this manifests for different organization types largely depends on their size and the internal security resources they have available to them.

Let’s take a look at two common “mottos” of security-through-obscurity and discuss what makes each of them ineffective.

“We’re too small for cybersecurity.”

An attitude that is common among startups and small businesses is that their organization is simply off the radar of most would-be attackers. The logic then goes that investment in cybersecurity would be an unnecessary expense and fail to produce a meaningful return.

While it may be true that larger companies suffer a higher frequency of targeted attacks, hackers actually seek out smaller and often unprepared businesses because they make easier targets. And before you think the threats are purely technological in nature (phishing, hacking and other “outside” attacks), remember that a small business’s own employees also pose a substantial risk, whether as willing or unwitting threats.

“Secret is secure.”

Even companies that have advanced cybersecurity programs still use obscurity as a tactic. In fact, contractors at large government agencies and corporate security programs can sometimes take an even more deliberate approach to it. That is, these groups keep their security controls secret, believing that doing so will prevent hackers from successfully attacking them.

The problem is that groups who fail to disclose their security controls are difficult to evaluate, trust or improve. In their quest to thwart hack attempts, they may actually damage their own credibility and prevent assessment that could lead to better data security. In several recent hacks, such as the Equifax breach, greater transparency could have gone a long way toward limiting the damage.

Rather than keeping information hidden, organizations can aim to keep tighter control of their information while remaining transparent. Establishing firm corporate security governance is the key in this regard.

For consultation on corporate governance, establishing a managed security program or practically any cybersecurity need, Lunarline is here to help. Contact us online today!